File as GitHub Issue repo: bbartling/open-fdd

Push this scan report to bbartling/open-fdd

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.


Issue title

Trojan Source bidi character (LRO) in source

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | MINED107 | Missing import: `sys` used but not imported | workspace/api/openfdd_bridge/zone_temp_…:314 |
| CRIT | MINED107 | Missing import: `warnings` used but not imported | bacnet_toolshed/discover_points.py:175 |
| CRIT | MINED107 | Missing import: `warnings` used but not imported | bacnet_toolshed/discover_devices.py:113 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | workspace/api/static/app/assets/index-T…:3308 |
| CRIT | MINED123 | Trojan Source bidi character (LRO) in source | workspace/api/static/app/assets/index-T…:3962 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | workspace/dashboard/src/components/Home…:141 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | workspace/dashboard/src/components/Buil…:258 |
| HIGH | SEC135 | [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | workspace/api/openfdd_bridge/routes/bui…:62 |
| HIGH | SEC135 | [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | workspace/api/openfdd_bridge/routes/aut…:19 |
| HIGH | SEC135 | [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | workspace/api/openfdd_bridge/routes/age…:63 |
| HIGH | SEC113 | [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first c… | scripts/edge_restore_bacnet_inventory.sh:28 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | open_fdd/playground/sandbox.py:181 |
| HIGH | MINED006 | [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… | bacnet_toolshed/smoke_whois.py:76 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | bacnet_toolshed/nic_bind.py:57 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | bacnet_toolshed/merge_points_csv.py:24 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | bacnet_toolshed/bacnet_poll_loop.py:38 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | packages/openfdd-agent-shell/src/openfd…:80 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | open_fdd/engine/checks.py:112 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | bacnet_toolshed/bacnet_poll_loop.py:60 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | scripts/gl36_mechanical_validate.py:98 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | scripts/bacnet_add_devices_e2e.sh:55 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | bacnet_toolshed/bacnet_poll_loop.py:113 |
| HIGH | MINED106 | Phantom test coverage: test_rule | workspace/api/openfdd_bridge/routes/pla…:116 |
| HIGH | MINED108 | `self.site_dir` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:290 |
| HIGH | MINED108 | `self.read_site` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:287 |
| HIGH | MINED108 | `self.shard_files` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:284 |
| HIGH | MINED108 | `self.site_dir` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:274 |
| HIGH | MINED108 | `self.shard_files` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:242 |
| HIGH | MINED108 | `self.read_site_table` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:225 |
| HIGH | MINED108 | `self.shard_files` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:195 |
| HIGH | MINED108 | `self.list_sites` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:192 |
| HIGH | MINED108 | `self.site_dir` used but never assigned in __init__ | workspace/api/openfdd_bridge/feather_st…:159 |
| HIGH | MINED108 | `self.getvalue` used but never assigned in __init__ | workspace/api/openfdd_bridge/playground…:86 |
| HIGH | MINED108 | `self._headers` used but never assigned in __init__ | tests/workspace_bridge/conftest.py:70 |
| HIGH | MINED108 | `self._headers` used but never assigned in __init__ | tests/workspace_bridge/conftest.py:67 |
| HIGH | MINED108 | `self._headers` used but never assigned in __init__ | tests/workspace_bridge/conftest.py:64 |
| HIGH | MINED108 | `self._headers` used but never assigned in __init__ | tests/workspace_bridge/conftest.py:61 |
| HIGH | MINED108 | `self._headers` used but never assigned in __init__ | tests/workspace_bridge/conftest.py:58 |
| HIGH | MINED108 | `self._headers` used but never assigned in __init__ | tests/workspace_bridge/conftest.py:55 |
| HIGH | MINED106 | Phantom test coverage: test_rules_on_frame | scripts/setup_bench_afdd.py:168 |
| HIGH | MINED108 | `self._authorized` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:610 |
| HIGH | MINED108 | `self._read_json` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:614 |
| HIGH | MINED108 | `self.path` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:612 |
| HIGH | MINED108 | `self._authorized` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:498 |
| HIGH | MINED108 | `self.path` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:500 |
| HIGH | MINED108 | `self.rfile` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:493 |
| HIGH | MINED108 | `self.headers` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:489 |
| HIGH | MINED108 | `self.headers` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:486 |
| HIGH | MINED108 | `self.address_string` used but never assigned in __init__ | bacnet_toolshed/commission_agent.py:481 |
| HIGH | MINED134 | Binary file `workspace/data/rules_py/__pycache__/acme_zone_temp_flatline_1h.cpython-312.p… | workspace/data/rules_py/__pycache__/acm…:1 |
| HIGH | MINED115 | Action `peter-evans/create-pull-request` pinned to mutable ref `@v7` | .github/workflows/docs-pdf.yml:58 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/docs-pdf.yml:33 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/docs-pdf.yml:30 |
| HIGH | MINED115 | Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1` | .github/workflows/publish-open-fdd.yml:82 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/publish-open-fdd.yml:27 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/publish-open-fdd.yml:24 |
| HIGH | MINED115 | Action `ruby/setup-ruby` pinned to mutable ref `@v1` | .github/workflows/ci.yml:140 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/ci.yml:137 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/ci.yml:116 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/ci.yml:113 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/ci.yml:91 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/ci.yml:87 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/ci.yml:84 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/ci.yml:68 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/ci.yml:65 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/ci.yml:32 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/ci.yml:27 |
| HIGH | MINED115 | Action `actions/deploy-pages` pinned to mutable ref `@v4` | .github/workflows/docs-pages.yml:57 |
| HIGH | MINED115 | Action `actions/upload-pages-artifact` pinned to mutable ref `@v3` | .github/workflows/docs-pages.yml:43 |
| HIGH | MINED115 | Action `ruby/setup-ruby` pinned to mutable ref `@v1` | .github/workflows/docs-pages.yml:30 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v5` | .github/workflows/docs-pages.yml:29 |
| HIGH | MINED118 | Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest | docker/Dockerfile:13 |
| HIGH | MINED118 | Dockerfile FROM `node:22-bookworm-slim` not pinned by digest | docker/Dockerfile:6 |
| HIGH | MINED131 | pre-commit hook `https://github.com/psf/black` pinned to mutable rev `26.1.0` | .pre-commit-config.yaml:2 |
| HIGH | SEC020 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | infra/ansible/scripts/acme_operational_…:48 |
| HIGH | JRN009 | Secret-like setting is echoed into a password input value | workspace/dashboard/src/pages/LoginPage…:64 |
| HIGH | MINED112 | FastAPI POST /drafts has no auth | workspace/api/openfdd_bridge/routes/rul…:225 |
| HIGH | MINED112 | FastAPI POST /ingest/bacnet has no auth | workspace/api/openfdd_bridge/routes/bac…:501 |
| HIGH | MINED112 | FastAPI POST /internal/bacnet/ingest-samples has no auth | workspace/api/openfdd_bridge/routes/bac…:491 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/poll/once has no auth | workspace/api/openfdd_bridge/routes/bac…:444 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/write has no auth | workspace/api/openfdd_bridge/routes/bac…:381 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/supervisory-check has no auth | workspace/api/openfdd_bridge/routes/bac…:373 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/point-discovery has no auth | workspace/api/openfdd_bridge/routes/bac…:365 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/priority-array has no auth | workspace/api/openfdd_bridge/routes/bac…:355 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/read-multiple has no auth | workspace/api/openfdd_bridge/routes/bac…:343 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/read has no auth | workspace/api/openfdd_bridge/routes/bac…:331 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/whois has no auth | workspace/api/openfdd_bridge/routes/bac…:323 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/discover has no auth | workspace/api/openfdd_bridge/routes/bac…:313 |
| HIGH | MINED112 | FastAPI PATCH /api/bacnet/driver/device/remap has no auth | workspace/api/openfdd_bridge/routes/bac…:299 |
| HIGH | MINED112 | FastAPI DELETE /api/bacnet/driver/registry has no auth | workspace/api/openfdd_bridge/routes/bac…:293 |
| HIGH | MINED112 | FastAPI DELETE /api/bacnet/driver/device/{device_instance} has no auth | workspace/api/openfdd_bridge/routes/bac…:288 |
| HIGH | MINED112 | FastAPI DELETE /api/bacnet/driver/point/{point_id} has no auth | workspace/api/openfdd_bridge/routes/bac…:283 |
| HIGH | MINED112 | FastAPI PATCH /api/bacnet/driver/device has no auth | workspace/api/openfdd_bridge/routes/bac…:271 |
| HIGH | MINED112 | FastAPI PATCH /api/bacnet/driver/point has no auth | workspace/api/openfdd_bridge/routes/bac…:259 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/driver/merge-rows has no auth | workspace/api/openfdd_bridge/routes/bac…:250 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/driver/sync-discovery has no auth | workspace/api/openfdd_bridge/routes/bac…:236 |
| HIGH | MINED112 | FastAPI POST /api/bacnet/import-to-model has no auth | workspace/api/openfdd_bridge/routes/bac…:216 |
| HIGH | MINED112 | FastAPI POST /login has no auth | workspace/api/openfdd_bridge/routes/aut…:20 |
| HIGH | MINED112 | FastAPI POST /api/modbus/read_registers has no auth | workspace/api/openfdd_bridge/routes/mod…:77 |
| HIGH | MINED112 | FastAPI POST /tools/get_doc_section has no auth | workspace/mcp_rag/app.py:95 |
| HIGH | MINED112 | FastAPI POST /tools/search_docs has no auth | workspace/mcp_rag/app.py:88 |
| MED | ERR001 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | workspace/api/openfdd_bridge/playground…:55 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | workspace/api/openfdd_bridge/brick_mode…:171 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | workspace/api/openfdd_bridge/auth.py:124 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | open_fdd/playground/sandbox.py:155 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/agent_tool…:476 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/building_s…:36 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/playground…:190 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/playground…:315 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/fdd_runner…:214 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/ollama_cli…:258 |
| MED | MINED111 | Bare except continues silently | workspace/api/openfdd_bridge/ollama_cli…:342 |
| MED | MINED111 | Bare except continues silently | scripts/validate_acme_rules_pypi.py:77 |
| MED | MINED111 | Bare except continues silently | scripts/setup_gl36_fdd.py:227 |
| MED | MINED111 | Bare except continues silently | scripts/build_docs_pdf.py:77 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/commission_agent.py:685 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/commission_agent.py:676 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/commission_agent.py:667 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/commission_agent.py:658 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/commission_agent.py:649 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/commission_agent.py:219 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/discover_points.py:71 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/discover_points.py:63 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/bacnet_poll_loop.py:115 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/bacnet_poll_loop.py:87 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/discover.py:103 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/discover.py:96 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/bacnet_ops.py:167 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/discover_lib.py:121 |
| MED | MINED111 | Bare except continues silently | bacnet_toolshed/rpm.py:63 |
| MED | COMP001 | [COMP001] High cognitive complexity: Function `run_discover` has cognitive complexity 15 … | bacnet_toolshed/discover.py:34 |
| MED | DEPCUR-NPM | npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2) | workspace/dashboard/package.json |
| MED | GHSA-mr82-8j83-vxmv | pydantic: GHSA-mr82-8j83-vxmv | bacnet_toolshed/requirements.txt |
| MED | JRN002 | Browser storage is used for session token material | workspace/dashboard/src/lib/api.ts:143 |
| MED | JRN002 | Browser storage is used for session token material | workspace/dashboard/src/lib/api.ts:133 |
| MED | JRN002 | Browser storage is used for session token material | workspace/dashboard/src/lib/api.ts:55 |
| MED | DKR001 | Docker final stage has no non-root USER | docker/Dockerfile:83 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | infra/ansible/group_vars/pi_bcn.yml:63 |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | docker/bridge-entrypoint.sh:10 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | scripts/bootstrap_ollama.sh:104 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `load_points_csv` has cognitive complexity … | bacnet_toolshed/config.py:107 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `poll_interval_s` has cognitive complexity … | bacnet_toolshed/bacnet_poll_loop.py:22 |
| LOW | DEPCUR-NPM | npm package `plotly.js-dist-min` is minor version(s) behind (3.5.1 -> 3.6.0) | workspace/dashboard/package.json |
| LOW | DEPCUR-NPM | npm package `@tanstack/react-query` is minor version(s) behind (5.100.14 -> 5.101.0) | workspace/dashboard/package.json |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/oob_rolling.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/oob_rolling.py:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/flatline_1h.py:8 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/flatline_1h.py:3 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/duct-t_spread_1…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/duct-t_flatline…:17 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/duct-t_flatline…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_stat_zn-t…:17 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_stat_zn-t…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_oa-t_out_…:2 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_oa-t_out_…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_oa-t_flat…:17 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_oa-t_flat…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_humidity_…:2 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/bench_humidity_…:17 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/ahu_run_hours.py:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/ahu_afterhours_…:2 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/acme_zone_temp_…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/acme_zone_temp_…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/acme_duct_stati…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/data/rules_py/acme_discharge_…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/dashboard/src/lib/insightType…:2 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/dashboard/src/components/Tele…:34 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/api/openfdd_bridge/timeseries…:263 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/api/openfdd_bridge/runtime_me…:52 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/api/openfdd_bridge/runtime_me…:49 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/api/openfdd_bridge/rule_store…:79 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/api/openfdd_bridge/fdd_result…:34 |
| LOW | AIC003 | Duplicated implementation block across source files | workspace/api/openfdd_bridge/bacnet_dri…:485 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/merge_poll_discovery_gap.py:8 |
| LOW | DKR008 | .dockerignore misses sensitive defaults | .dockerignore |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/Dockerfile:86 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/Dockerfile:40 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/Dockerfile:34 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | workspace/dashboard/src/components/TabD…:34 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | workspace/dashboard/src/components/Rule…:148 |
| INFO | MINED065 | [MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser o… | workspace/api/openfdd_bridge/settings.py:27 |
| INFO | MINED065 | [MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser o… | workspace/api/openfdd_bridge/main.py:32 |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | skills/easy-aso-bench-sidecar/scripts/e…:14 |
| INFO | MINED072 | [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. | packages/openfdd-agent-shell/src/openfd…:9 |
| INFO | MINED064 | [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. | packages/openfdd-agent-shell/src/openfd…:93 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | open_fdd/schema/fdd_result.py:15 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | scripts/gl36_site_model.py:155 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | scripts/gl36_mechanical_validate.py:262 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | infra/ansible/scripts/acme_operational_…:48 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | scripts/check_lan_firewall.sh:49 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | infra/ansible/scripts/acme_operational_…:42 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | infra/ansible/acme_go_live.sh:50 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | bacnet_toolshed/nic_bind.py:58 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | bacnet_toolshed/merge_points_csv.py:25 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | bacnet_toolshed/bacnet_poll_loop.py:39 |
196 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `bbartling/open-fdd`

**Score: 55/100 (B)**  ·  213 findings  ·  scanned 2026-06-05 13:06 UTC  ·  45,420 LOC

| Severity | Count |
|---|---|
| CRITICAL | 5 |
| HIGH | 96 |
| MEDIUM | 40 |
| LOW | 38 |

📊 [Full filterable report](https://repobility.com/scan/263848d0-b8f2-4c3c-acce-63b1e80054da/)  ·  ![scorecard](https://repobility.com/scan/263848d0-b8f2-4c3c-acce-63b1e80054da/report.png?v=1780664813-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `sys` used but not imported
   `workspace/api/openfdd_bridge/zone_temp_analytics.py:314` · ✓ Repobility
2. **CRITICAL** `MINED107` — Missing import: `warnings` used but not imported
   `bacnet_toolshed/discover_points.py:175` · ✓ Repobility
3. **CRITICAL** `MINED107` — Missing import: `warnings` used but not imported
   `bacnet_toolshed/discover_devices.py:113` · ✓ Repobility
4. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `workspace/api/static/app/assets/index-TRH4YIfA.js:3308`
5. **CRITICAL** `MINED123` — Trojan Source bidi character (LRO) in source
   `workspace/api/static/app/assets/index-TRH4YIfA.js:3962` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/263848d0-b8f2-4c3c-acce-63b1e80054da/_
Megaproject: high spam risk
Could not determine 'bbartling/open-fdd' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub’s new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub’s "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.